HACKERS can remotely kill people fitted with pacemakers by turning off their life-saving treatments or delivering fatal shocks, researchers have discovered.
They also found that wireless attacks could breach patient privacy, revealing personal details.
Experts Eduard Marin and Dave Singelée, from KU Leuven University, Belgium, hacked 10 implantable medical devices and pacemakers.
The pair managed to hack pacemakers’ channel from up to five metres away, giving them the opportunity to send malicious messages delivering fatal shocks and cutting off therapies.
The Register reports they could also breach patient privacy, read device information disclosing location history, treatments, and current state of health.
No physical access was need to pull off the hacking attacks.
The report relating to the research warns “Adversaries may eavesdrop the wireless channel to learn sensitive patient information, or even worse, send malicious messages to the implantable medical devices.
“The consequences of these attacks can be fatal for patients as these messages can contain commands to deliver a shock or to disable a therapy.”
Experts say attackers could install beacons at train stations and hospitals to see where patients are going and to discover their normal locations, before triggering a reprogramming session to steal this personal data.
The hacking could also include denial of service attacks which send continuous messages draining the battery life of the pacemaker.
Researchers concluded many of the new devices had “serious security weaknesses”.
Their work is detailed in the On the (in)security of the Latest Generation Implantable Cardiac Defibrillators and How to Secure Them [PDF] authored by Marin and Singelée, KU Leven colleague Bart Preneel, Flavio D. Garcia and Tom Chothia of the University of Birmingham, and cardiologist Rik Willems of University Hospital Gasthuisberg.